Profile picture
Sidharth R

10 Steps to Secure a New Linux VM

Updated: ⚬ Page views: 206

When you launch a new Linux VM, the level of security you really need depends on your use case. That said, there are some basic steps you can take right after provisioning a new VM, to improve it’s baseline security. Following these steps won’t make your server invincible, but it will make it safe and reduce exposure to common attacks.

1. Update your system

Newly deployed images can contain outdated packages with known vulnerabilities. Start by updating everything:

For Debian based systems (Ubuntu, Debian, etc.)

sudo apt update && sudo apt upgrade -y

For RHEL based systems (Amazon Linux, CentOS, RHEL, etc.):

sudo dnf update -y

2. Create a non-root user

Running all commands as root can be risky. It’s easy to make system-wide changes by mistake. It’s a good practice to create a new user with limited privileges and use that account for everyday tasks.

Debian based systems

sudo adduser <username>
sudo usermod -aG sudo <username>

This adds a new user and grants them sudo privileges (so that this user can perform administrative tasks when required).

RHEL based systems

sudo adduser <username>
sudo usermod -aG wheel <username>

On RHEL-based systems, the wheel group provides the same privilege level as the sudo group on Debian systems.

From now on, you can log in as this new user for day-to-day operations, using sudo only when administrative access is required. This keeps your system safer and helps prevent accidental mistakes.

3. Disable root SSH access

Attackers often target the root account first while attempting to gain unauthorized access. To reduce this risk, it’s best to disable direct root login over SSH. Instead you can use a regular user with sudo privileges to login.

  1. Open the SSH configuration file:

    sudo nano /etc/ssh/sshd_config

  2. Find the following line and update it to:

    PermitRootLogin no

  3. Save and exit, then restart the SSH daemon:

    For Debian based systems:

    sudo systemctl restart ssh

    For RHEL based systems:

    sudo systemctl restart sshd

4. Use SSH authentication

Passwords can be brute-forced. But keys can’t be not easily, at-least (unless Quantum computers become a practical usable thing!). On your local machine, generate an SSH key pair:

ssh-keygen -t ed25519

Copy your public key to the server:

ssh-copy-id <username>@<server_ip>

Test logging in. Once confirmed, you can disable password authentication (next step).

5. Disable password authentication

Once you can login using SSH, you can turn off password logins entirely:

sudo nano /etc/ssh/sshd_config

Set:

PasswordAuthentication no

Then restart SSH:

For Debian based systems:

sudo systemctl restart ssh

For RHEL based systems:

sudo systemctl restart sshd

This eliminates brute-force password attacks.

6. Enable a firewall

Control what traffic reaches your VM. For Ubuntu, use UFW:

sudo ufw allow OpenSSH
sudo ufw enable
sudo ufw status

For CentOS/RHEL:

sudo systemctl enable firewalld
sudo systemctl start firewalld
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload

Only open ports that your applications require.

7. Change default SSH port (optional)

Moving SSH from port 22 to a non-standard port won’t stop attacks but reduces noise from bots.

sudo nano /etc/ssh/sshd_config

Change:

Port 2222

Restart SSH and update your connection command:

ssh -p 2222 <username>@<server_ip>

8. Set up Fail2Ban

Fail2Ban helps block repeated failed login attempts automatically.

sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

It monitors log files and bans IPs that show malicious signs.

9. Limit privileges with sudo

Only give sudo access to trusted users. You can also restrict specific commands by editing the sudoers file:

sudo visudo

Add rules like:

<username> ALL=(ALL:ALL) /usr/bin/systemctl

This grants access only to the specified command.

10. Set up automatic backups and monitoring

Security isn’t just about prevention. It’s also about recovery and awareness.

  • Use a monitoring tool (e.g., Prometheus, Grafana or simple uptime checks).
  • Set up automatic backups of configuration files and data volumes.
  • Regularly review /var/log/auth.log or use centralized log management.

Bonus Tips

  • Keep SSH keys protected (chmod 600 ~/.ssh/id_ed25519).
  • Use tools like Lynis or Chkrootkit for periodic security audits.

Wrapping Up

These steps will not make your server invincible, but they certainly give your VM a baseline security. With these security measures in place, you can prevent common attack vectors such as bots scanning for open ports or brute-forcing SSH credentials.

Once you’ve secured the basics, you can move on to advanced server hardening like intrusion detection, container isolation, or SELinux/AppArmor.